Monday, July 20, 2015

Looking Into The Structure of MBOX File

MBOX stands for Mailbox, which is a file format that holds a collection of email messages in plain text format. All the messages are stored in individual, long text format and the new messages are appended to the end of the file. MBOX stores the messages in RFC 2822, original Internet Message format, making it easily accessible.

Many desktop mail client like; Mozilla Thunderbird, Eudora, Entourage, etc., support MBOX file as their default message storage file. Each message starts with “From” header and ends with a blank line with no tags or space. Every message in the file is: prefaced by a separation line and terminates with an empty line. However, the first message is prefaced by separation line and others begin with two end-of-line sequence and separator line. MBOX file format is simple to understand and it is supported universally and can be opened even in Notepad which makes it investigation friendly.

Structure of “From”:
Structure of “From” is From sender date moreinfo:

   sender: It is a one word, indicates sender of message.

   date: It refers to standard C format time with 24 characters, indicating the delivery date of message.

   moreinfo: It contains the arbitrary or other information.

The storage of emails or messages is done by the mailbox file in a file with .mbox extension which denotes a respective folder from the email client configured profile: folder name.mbox like; Inbox.mbox, Outbox.mbox, etc.

Two Routes to Save Emails:
There are two ways to save emails: directory and concatenate message formats.

·         Directory Format: The Mail client creates an individual file for the messages and is stored in folder directory.
·         Concatenate Message Format: In this, all messages are stored in single file and makes up the mailbox.

Example of MBOX file opened in notepad;

What The Header Fields Indicate?

As we can see from the above picture that, there are certain fields in the header portion. Some of the fields are:

·         MIME Version: It indicates the MIME version and shows if the message is composed of MIME format.
·         Message-ID: It is a unique ID for the messages. Every message is provided a different message ID that makes it unique.
·         X-Priority: Indicates how important the message was for the sender by showing some numbers that denote the following:
1-   Highest
2-   High
3-   Normal
4-   Low
5-   Lowest
·         Return-Path: It indicates the path to which the email should reach if not delivered. It is not necessary that this ID remains the same as the sender’s ID but mostly it is.
·         Content-Type: Indicates the type of the content that is present inside the message body.
·         To: It indicates the person who receives the message.
·         From: It shows from where the message has arrived, i.e. the sender.
The first line of the header shows the information of the sender, the date and time at which the message is send. On the next line, it mentions the MIME-version, if any. Then, we can see the ID of the message, importance of the message through X-Priority, content type, etc. It also shows the body in HTML structure along with the tags.

How A Message is Read When Received?
Message is scanned by starting from the From_ lines. When it is seen, this portion indicates the starting of message. The message header starts with From address, date and time at which it was received. The message terminates with blank lines, i.e. until it sees an end-of-line and separator line. MBOX files can be opened and read on any form of text editors owing to their simple text based structure.

Further Details:
There are many locking mechanisms for MBOX. Some of them are:
·         flock(): This system call is used commonly for read and write lock.
·         Lockf: It allows exclusive locks only and is a POSIX locking (lockf()).
·         Dotlock: In this, writer has the exclusive lock on the MBOX. When this lock is called then, mailboxname.lock file is created.

Conclusion: MBOX file is supported universally for storing electronic mails. MBOX files allow faster appending of the files into the mailbox and makes searching of files easier. MBOX file extension is supported by many of the desktop mail clients and so, they can be carried to different client platforms. In addition, the file also proves advantageous for forensic purposes, as its readability is not restricted to a certain platform, i.e. the file is not dependent. Whereas, the locked files are slightly different than the standard MBOX files which makes all the difference in its structure as well as parsing.

No comments:

Post a Comment